Using Honeypots to Sniff and Snuff out Botnets, part 2
This is a continuation of my previous posting on botnets that propagate through remotely exploitable vulnerabilities.
I suggest you read the first posting to understand how the data below is gathered. That being said, let's examine another one of my honeynets:
The first thing you'll notice is a particular worm that first tries to connect to a random IP and port with a random GET request, in an attempt to detect whether it is running in a sandbox. As I run my honeynet in passive mode, the malware is able to detect that it is sandboxed and thus doesn't do anything else. By "passive mode", I mean that after we detect an exploit via Dynamic Taint Analysis, the rest of the network requests made by the VM get faked responses so we don't risk attacking another system. It's not a technological challenge to defeat this type of countermeasure, but as doing so could potentially put others at risk, we haven't done it. I plan on adding a firewall on the outbound side of my honeynet so that I can run it in active mode while automatically blocking any attacks/spam from my VMs.
Getting back to botnets, we see two of the heavy hitters in this snapshot. The first is 'citi-bank.ru', which, if you visit it, immediately redirects you to 'citibank.ru'. However, if you look at the redirect page itself, you'll see encrypted bot commands:
root@alex_lanstein --- {~} wget 'http://citi-bank.ru/index.php?id=lnbsyalwhlnh&scn=0&inf=0&ver=19&cnt=USA'
root@alex_lanstein --- {~} cat index.php\?id\=lnbsyalwhlnh\&scn\=0\&inf\=0\&ver\=19\&cnt\=USA
<html>
<body>
<script>
parent.self.location='http://citibank.ru'; // forward to main site
// bzawgpi|q<11s{t|/ccpz0qk1ueu0{in~oQ1?od?a?<h<6<_<Gg<dk6A@42D26f=Bh3S;4H;4?L:`F<bI5cb=5R>`p31Z<al=m<:^]3nc: // zer0ajcvk<11munv/wwjt0ke1oyo40uch~uYm13R2b:
?PQ25Y9CX2:W2]b2747Lf:E73@M;FV9[H<p:=<D82L6g^82b3fS3fj3[R5?F8nZ@
</script>
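The page above hides its payload in JavaScript comments behind a redirect that looks legitimate. As an added example (this is not code from the original post or from FireEye), here is a small Python scanner that pulls the script comments out of a fetched page, tracking string literals so the `//` inside `http://` is not mistaken for a comment, reports any `location` assignment, and flags comments whose Shannon entropy is too high to be human-written text. It does not decode the bot commands; its job is to surface pages like this one for analysis. The sample HTML is the page's own snippet with the encoded comment kept on one line (the post's copy is line-wrapped) and the closing tags the fetched copy lacked added; the 4.5-bit entropy threshold and 24-character minimum length are assumptions.

```python
import math

# Constructed sample: the redirect page the post shows being fetched from citi-bank.ru,
# with the encoded comment kept on one line and </body></html> added.
SAMPLE_HTML = """<html>
<body>
<script>
parent.self.location='http://citibank.ru'; // forward to main site
// bzawgpi|q<11s{t|/ccpz0qk1ueu0{in~oQ1?od?a?<h<6<_<Gg<dk6A@42D26f=Bh3S;4H;4?L:`F<bI5cb=5R>`p31Z<al=m<:^]3nc: // zer0ajcvk<11munv/wwjt0ke1oyo40uch~uYm13R2b:?PQ25Y9CX2:W2]b2747Lf:E73@M;FV9[H<p:=<D82L6g^82b3fS3fj3[R5?F8nZ@
</script>
</body>
</html>
"""

import re

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
# Matches `location = '...'` and `location.href = '...'` assignments.
LOCATION_RE = re.compile(r"""location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")


def shannon_entropy(text):
    """Bits per character; English prose sits around 4, encoded junk noticeably higher."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_comments(script):
    """Walk the script while tracking quoted strings, so '//' inside a URL literal is
    not treated as a comment. Returns the text of each // and /* */ comment.
    (Regex literals such as /ab\\/c/ are not tracked; acceptable for a triage tool.)"""
    comments, i, n, quote = [], 0, len(script), None
    while i < n:
        ch = script[i]
        if quote:                       # inside a string literal
            if ch == "\\":
                i += 2                  # skip escaped character
                continue
            if ch == quote:
                quote = None
            i += 1
        elif ch in "'\"`":
            quote = ch
            i += 1
        elif script.startswith("//", i):
            end = script.find("\n", i)
            end = n if end == -1 else end
            comments.append(script[i + 2:end].strip())
            i = end
        elif script.startswith("/*", i):
            end = script.find("*/", i + 2)
            end = n if end == -1 else end
            comments.append(script[i + 2:end].strip())
            i = end + 2
        else:
            i += 1
    return comments


def scan_page(html, entropy_threshold=4.5, min_len=24):
    """Report redirect targets and script comments that look encoded rather than written."""
    redirects, comments, flagged = [], [], []
    for m in SCRIPT_RE.finditer(html):
        script = m.group(1)
        redirects += LOCATION_RE.findall(script)
        for c in extract_comments(script):
            comments.append(c)
            if len(c) >= min_len and shannon_entropy(c) >= entropy_threshold:
                flagged.append(c)
    return {"redirects": redirects, "comments": comments, "flagged": flagged}


if __name__ == "__main__":
    report = scan_page(SAMPLE_HTML)
    print("redirects:", report["redirects"])
    for c in report["comments"]:
        tag = "FLAGGED" if c in report["flagged"] else "ok"
        print(f"{tag:8} entropy={shannon_entropy(c):.2f} {c[:40]!r}")
```

Run against a saved copy of a suspicious redirect page; a flagged comment next to an off-site `location` assignment is a good reason to look at the host more closely, as the post does with the WHOIS data.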
So who's enabling this botnet?
citi-bank.ru - 194.54.90.246 - Technologii Maybutnego LLC - Ukraine - abuse@hosting.ua
Next you can see proxim.ircgalaxy.pl (and proxima2.ircgalaxy.pl in another batch) on TCP/65520 with an IRC connection attempt like:
NICK xpidhuue
USER f020501 . . :-
The "[a-z][digits]{6} dot dot colon hyphen" in the USER string is classic IRC.Virut. Looking at the server we see:
proxim.ircgalaxy.pl - 58.65.234.89, 58.65.234.90 - HostFresh - Hong Kong - abuse@hostfresh.com
Of course, often the payload of an exploit will simply download another piece of malware which will do the real malicious action. Above we can see the following (and as always, handle with care):
hxxp://a48574.angelfire.com / h.x - VirusTotal reports 16 of its 38 AVs detect it
hxxp://a48574.angelfire.com / m.x - VirusTotal reports 15 of 37 (sometimes an AV product on their end has an issue)
hxxp://a48574.angelfire.com / mdk.x - VirusTotal reports 28 of 37
Apparently there are a few mirrors in case one of the URLs is shut down:
hxxp://bojifun.com / h.x
hxxp://imfromiraq123456.angelfire.com / mdk.x
hxxp://chk7stn.angelfire.com / mdk.x
This means that simply by running your own honeypot, you could have picked up pieces of malware detected by less than 50% of the commercially available AV products. Stuart Staniford, our Chief Scientist, wrote up a study of AV detection of modern malware dropped by web exploits that showed similar numbers, although his was obviously much more in depth.
Continuing to look back at this same honeynet we see:
In this shot we see 0x90.devtech.us on TCP/6556. It looks like Sdbot to me, but it might be another Rbot variation. Also, 0x90 is a cute domain name - obviously a reference to a NOP sled. Here is the connect string:
NICK [XP|SP0]-NWlODd
USER USA 0 0 :FoGo
JOIN #S#
0x90.devtech.us - 67.43.231.213 - Gigeservers/GoboTech Communications - The company is out of NB, Canada, but the IP is hosted in Chicago - plquimper@gtcomm.net
Next we see moscow-advokat.ru running IRC.Parite on TCP/6667, with a conversation like:
PASS gaknrshks
NICK hznswz_13
USER hznswz_13 8 * :ellqeosdg
JOIN #taty
moscow-advokat.ru - 194.6.222.11 - Prov.ru - Moscow, Russia - admin@prov.ru
There's only one more I want to go over, and I intentionally separated it out. The first reason is that there's graphic language in the image below, so it may offend some. The second is that it is the largest IRC-based botnet I've found that isn't using dedicated servers. It purely uses its own bots to host the C&Cs.
Above you can see botz.thedomain.com on TCP/65146 with a connection like:
NICK [BUZZOFF]-362023
USER ohfjsv 0 0 :[BUZZOFF]-362023
USERHOST [BUZZOFF]-362023
MODE [BUZZOFF]-362023 +xt
JOIN #a imallowed
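The handshakes quoted above (Virut's dot-dot-colon-hyphen USER string, the bracketed OS-tag nicks, the Parite-style login, and the non-standard ports most of them use) can be turned into a simple triage classifier for client-side IRC logins seen leaving a honeypot. The following Python is an added example, not the post's or FireEye's code: it parses the NICK/USER/PASS/JOIN lines and scores them with heuristics derived from the four samples in the post, plus a constructed ordinary IRC login as a control. The indicator names, the standard-port list and the scoring rule (one strong indicator, or two weak ones, marks a session suspect) are my assumptions; the `name_number-nick` and `server-password-sent` checks only reflect the shape of the Parite sample here and are deliberately weak on their own.

```python
import re

# Constructed sample: the client-side IRC handshakes quoted in the post, keyed by the
# server and TCP port they were seen on. The four bot handshakes are copied from the
# post verbatim; the irc.example.net login is a made-up benign control.
SAMPLE_SESSIONS = {
    "proxim.ircgalaxy.pl:65520": [
        "NICK xpidhuue",
        "USER f020501 . . :-",
    ],
    "0x90.devtech.us:6556": [
        "NICK [XP|SP0]-NWlODd",
        "USER USA 0 0 :FoGo",
        "JOIN #S#",
    ],
    "moscow-advokat.ru:6667": [
        "PASS gaknrshks",
        "NICK hznswz_13",
        "USER hznswz_13 8 * :ellqeosdg",
        "JOIN #taty",
    ],
    "botz.thedomain.com:65146": [
        "NICK [BUZZOFF]-362023",
        "USER ohfjsv 0 0 :[BUZZOFF]-362023",
        "USERHOST [BUZZOFF]-362023",
        "MODE [BUZZOFF]-362023 +xt",
        "JOIN #a imallowed",
    ],
    "irc.example.net:6667": [
        "NICK alice",
        "USER alice 0 * :Alice Example",
        "JOIN #python",
    ],
}

STANDARD_IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697}  # assumption: the usual IRC ports

# Patterns taken from the handshake shapes the post shows.
VIRUT_USER = re.compile(r"^[a-z][0-9]{6} \. \. :-$")                # "f020501 . . :-"
BRACKET_TAG_NICK = re.compile(r"^\[[A-Za-z0-9|]+\]-[A-Za-z0-9]+$")  # "[XP|SP0]-NWlODd"
NAME_NUMBER_NICK = re.compile(r"^[a-z]+_[0-9]+$")                   # "hznswz_13"

# Indicators strong enough to flag a session by themselves.
STRONG = {"virut-style-user-string", "bracketed-tag-nick",
          "realname-echoes-nick", "join-with-channel-key"}


def parse_irc_lines(lines):
    """Split raw client lines into (COMMAND, params) pairs; trailing params keep their ':'."""
    parsed = []
    for line in lines:
        cmd, _, params = line.strip().partition(" ")
        parsed.append((cmd.upper(), params))
    return parsed


def classify_session(endpoint, lines):
    """Return (verdict, indicators) for one client-side handshake."""
    _, _, port = endpoint.rpartition(":")
    port = int(port)
    parsed = parse_irc_lines(lines)
    cmds = {c for c, _ in parsed}
    nick = next((p for c, p in parsed if c == "NICK"), "")
    user = next((p for c, p in parsed if c == "USER"), "")
    realname = user.partition(":")[2]           # text after ':' in the USER line
    indicators = []

    if {"NICK", "USER"} <= cmds and port not in STANDARD_IRC_PORTS:
        indicators.append(f"irc-handshake-on-nonstandard-port:{port}")
    if "PASS" in cmds:
        indicators.append("server-password-sent")
    if VIRUT_USER.match(user):
        indicators.append("virut-style-user-string")
    if BRACKET_TAG_NICK.match(nick):
        indicators.append("bracketed-tag-nick")
    if NAME_NUMBER_NICK.match(nick):
        indicators.append("name_number-nick")
    if realname and realname == nick:          # bots copy the generated nick into realname
        indicators.append("realname-echoes-nick")
    if any(c == "JOIN" and len(p.split()) == 2 for c, p in parsed):
        indicators.append("join-with-channel-key")   # e.g. "JOIN #a imallowed"

    strong = [i for i in indicators if i in STRONG]
    verdict = "suspect" if strong or len(indicators) >= 2 else "benign-looking"
    return verdict, indicators


def classify_all(sessions=SAMPLE_SESSIONS):
    return {ep: classify_session(ep, lines) for ep, lines in sessions.items()}


if __name__ == "__main__":
    for ep, (verdict, inds) in classify_all().items():
        print(f"{ep:28} {verdict:14} {', '.join(inds) or '-'}")
```

Feed it the client-to-server lines reassembled from your honeypot's pcaps (one list per connection); anything it marks suspect is worth the same server lookup the post does for each C&C.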
The domain currently has 5 A entries, and I suppose that's because the actual bots get physically turned off from time to time.
24.205.15.xxx - Charter Communications customer in Los Angeles
71.85.120.xxx - Charter Communications customer in Washington, DC
71.87.92.xxx - Charter Communications customer in Nebraska
24.143.59.xxx - Sunflower Broadband customer in Kansas
71.102.113.xxx - Verizon customer in Los Angeles
As shown above, you can gain significant insight into botnets and malware by running a "classic" honeypot. I suggest all the readers out there who have a few extra static IPs set up a honeypot using the link in the previous post. What do you have to lose?
Happy New Year,
Alex Lanstein @ FireEye Malware Intelligence Lab
Questions/Comments to research@fireeye.com


Recent Comments
Hi Nick,
It certainly appears that way. Since I reported the citi-bank.ru site to the datacenter that was hosting it, they have pulled it offline and the backup server doesn't appear to have the botnet server loaded on it. Sometimes all it takes is a simple abuse notification!
Alex
Alex Lanstein on Using Honeypots to Sniff and Snuff out Botnets, part 2
If I go to www.citi.com there is a drop down on the left hand side labeled "Select a country". From the drop down you can click Europe -> Russia -> then Russian or English and this will take you to www.citibank.ru.
www.citibank.ru is at 192.193.217.120 and 192.193.232.190, which is owned by CitiCorp. These are the same addresses as citi.com.
Based on the DNS and WHOIS information citibank.ru seems legitimate. Is citi-bank.ru redirecting people in an effort to conceal its intentions?
Nick on Using Honeypots to Sniff and Snuff out Botnets, part 2